Please enable the Active Directory Recycle Bin

Listen, we are all about future you here. Anything that you do now should make future work easier. If you are managing an Active Directory environment, double-check that the AD Recycle Bin is enabled before you need to restore an object in AD. To check this, fire up a PowerShell session and run:

Get-ADOptionalFeature -Filter *

This cmdlet does require the Active Directory module that is installed as a part of RSAT. You should see the Recycle Bin feature listed near the top with items listed in the EnabledScopes member. In the screenshot below, the AD Recycle Bin is not enabled and this admin is one deletion away from a resume update.

If you see the Recycle Bin feature with objects listed next to EnabledScopes and are comfortable with restoring objects, you are golden. You may continue here to learn something random. Otherwise, read on.

How to Enable the Active Directory Recycle Bin

Start PowerShell with an enterprise administrator account on the domain controller holding the domain naming master role. Running netdom query fsmo will show you which DC this is. Run the following in that PowerShell prompt:
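An added example for this step, not the author's original command: it checks the current state, then enables the feature forest-wide against the domain naming master. Looking up that DC with Get-ADForest and prompting with -Confirm are choices made for this example.

```powershell
# Added example: check, then enable, the AD Recycle Bin for the current forest.
# Needs the ActiveDirectory module (RSAT) and an Enterprise Admin session.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

# Show what the feature requires and what the forest currently runs at.
# IsDisableable is False for this feature: once enabled it cannot be turned off.
$feature | Select-Object Name, RequiredForestMode, IsDisableable
"Forest mode          : $($forest.ForestMode)"
"Domain naming master : $($forest.DomainNamingMaster)"

if ($feature.EnabledScopes.Count -gt 0) {
    # Already on: list the scopes and change nothing.
    "Recycle Bin is already enabled for:"
    $feature.EnabledScopes
}
else {
    # Forest-wide scope, sent to the DC that holds the domain naming master role.
    # -Confirm forces a prompt so the irreversible change is acknowledged.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet `
        -Target $forest.Name `
        -Server $forest.DomainNamingMaster `
        -Confirm

    # Re-query the same DC; EnabledScopes should now be populated.
    (Get-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Server $forest.DomainNamingMaster).EnabledScopes
}
```

Other domain controllers show the populated EnabledScopes only after the change has replicated to them.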

How to Recover Objects with the Active Directory Recycle Bin

To restore the object, you can use the Get-ADObject cmdlet with the -IncludeDeletedObjects parameter and pass that information to the Restore-ADObject cmdlet. The easier way is to just launch the Active Directory Administrative Center on a 2012R2/Windows 8.1+ machine. Navigate to the Deleted Objects container under your domain. Close ADAC and reopen it if you don’t see it at first.

Find your object in the container and right-click on it to Restore. The last known parent column will show you where the object will be placed.

Time for a trust-building exercise with Active Directory. Find your Domain Controllers OU and … kidding… kidding… Besides, you protect all of your important objects with the Accidental Deletion flag, right?